A new ransomware operation calling itself Kyber has emerged, deploying two distinct variants targeting Windows file servers and VMware ESXi infrastructure simultaneously. Rapid7’s incident response team retrieved and analysed both variants in March 2026 following an enterprise compromise, finding significant technical differences between them. The operation is notable for its claimed use of post-quantum cryptography — a claim that holds partially true for the Windows variant but not for the ESXi encryptor.
Dual Variant Architecture
Both Kyber variants were deployed on the same network during the same campaign, sharing an identical campaign ID and Tor-based ransom payment infrastructure. The affiliate deploying them used a simultaneous targeting approach: encrypt Windows file servers and ESXi hypervisors at the same time to prevent recovery through infrastructure failover.
Windows variant (Rust): The Windows encryptor is written in Rust and implements genuine Kyber1024 key encapsulation combined with X25519 Diffie-Hellman for key protection. Kyber1024 is a NIST-standardised post-quantum key encapsulation mechanism (KEM). The ransom note’s post-quantum encryption claim is accurate for this variant — the key protection layer uses algorithms designed to resist quantum computer attacks.
ESXi variant (Linux): The ESXi encryptor targets VMware datastores and uses ChaCha8 for file encryption with RSA-4096 for key wrapping — neither algorithm is post-quantum resistant. Despite the ransom note advertising post-quantum encryption, Rapid7 confirmed this claim is false for the Linux variant. The ESXi encryptor also includes capabilities to terminate running virtual machines before encryption and to deface the ESXi management web interface to display the ransom note.
The Windows variant additionally includes self-described “experimental” functionality targeting Hyper-V environments, indicating that the operator is testing coverage of Microsoft virtualisation infrastructure alongside VMware.
Post-Quantum in Ransomware — What It Actually Means
The Kyber ransomware’s Kyber1024 implementation on Windows raises a practical question: does post-quantum key encapsulation in ransomware change the incident response calculus?
For organisations that currently retain encrypted files with the hope of future decryption — either via quantum computer-assisted brute force or future key recovery — a Kyber1024-protected key wrapping layer closes that option for the Windows variant. The key cannot be recovered by brute force even with theoretical quantum computing capability. This is a marginal consideration for most enterprises, but it is a signal that ransomware operators are beginning to evaluate post-quantum migration paths alongside their targets.
For immediate response, the encryption algorithm used for files (AES or ChaCha variants in both cases) is not what is being replaced — the key protection layer is. Recovery without paying the ransom still depends on having unencrypted backups, not on breaking the encryptor’s cryptography.
ESXi Targeting Pattern
ESXi-specific ransomware has been a persistent threat since 2022. Kyber’s ESXi variant follows the established playbook: target the hypervisor layer to maximise blast radius across all virtual machines simultaneously. The datastore encryption approach bypasses per-VM defences by operating at the storage layer rather than within individual guest operating systems.
The management interface defacement is designed to prevent rapid ESXi host recovery via the web console — administrators who attempt to access the ESXi management UI after compromise see the ransom note rather than the management interface, slowing the recognition and recovery process.
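One way a defender can catch the defacement described above is to fingerprint the ESXi management login page from a known-good host and periodically compare what the host actually serves. The script below is an added example, not Rapid7's tooling or anything from the Kyber samples; the HTML strings and the ransom-note wording are constructed stand-ins for the real Host Client page and are not taken from the malware.

```python
import hashlib
import re

# Constructed stand-in for the ESXi Host Client login page (not VMware's real HTML).
# In practice, capture this from a freshly patched, known-good host and store the
# resulting fingerprint off-box, so a defaced host cannot also alter the baseline.
KNOWN_GOOD_HTML = """<!DOCTYPE html><html><head><title>VMware ESXi</title></head>
<body><form id="login"><input name="username"><input name="password" type="password">
<button>Log in</button></form></body></html>"""

# Constructed sample of a defaced UI: the login page is replaced by a ransom note.
# The wording is invented for this example, not copied from the Kyber note.
DEFACED_HTML = """<html><body><h1>Your files have been encrypted</h1>
<p>Use the Tor address in the note to arrange decryption.</p></body></html>"""

# Constructed sample of a benign change (an admin banner) to show it is not flagged.
PATCHED_HTML = KNOWN_GOOD_HTML.replace("<body>", "<body><p>Maintenance Friday</p>")

EXPECTED_MARKERS = ("<title>vmware esxi</title>", 'name="password"')
NOTE_PATTERNS = (r"\bencrypted\b", r"\bdecrypt", r"\bransom", r"\.onion\b", r"\bbitcoin\b")

def normalise(html: str) -> str:
    """Collapse whitespace and case so trivial re-indents do not change the hash."""
    return re.sub(r"\s+", " ", html).strip().lower()

def fingerprint(html: str) -> str:
    return hashlib.sha256(normalise(html).encode()).hexdigest()

BASELINE_FINGERPRINT = fingerprint(KNOWN_GOOD_HTML)

def check_ui(html: str, baseline: str = BASELINE_FINGERPRINT) -> dict:
    """Classify a fetched management page relative to the stored baseline."""
    body = normalise(html)
    missing = [m for m in EXPECTED_MARKERS if m not in body]
    hits = [m.group(0) for p in NOTE_PATTERNS if (m := re.search(p, body))]
    if fingerprint(html) == baseline:
        verdict = "baseline"          # byte-for-byte what the known-good host served
    elif missing and hits:
        verdict = "defaced"           # login form gone and ransom wording present
    elif hits:
        verdict = "suspicious"        # login form intact but ransom wording injected
    else:
        verdict = "changed"           # differs from baseline; likely a patch, re-baseline
    return {"verdict": verdict, "missing_markers": missing, "note_indicators": hits}
```

Because the real Host Client page changes with every ESXi patch, the fingerprint must be re-captured after patching; the marker and ransom-wording checks are what keep a routine update from being reported as a compromise.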
Recommended Actions
- Harden ESXi management interfaces: Restrict access to the ESXi management interface (port 443) to administrative jump hosts only; do not expose it to general internal networks. This limits the attacker’s ability to deface the interface and forces them to route through additional controls.
- Segment hypervisor infrastructure: Workstations and general-purpose servers should not have direct SMB/NFS access to ESXi hosts. Ransomware deployment to ESXi typically arrives via compromised administrative credentials — limiting lateral movement paths reduces the attack surface.
- Verify Hyper-V exposure: The Windows variant’s experimental Hyper-V targeting capability means environments using Hyper-V should be assessed for the same segmentation controls applied to ESXi — Hyper-V management interfaces should not be directly reachable from compromised workstation network segments.
- Audit backup accessibility: Verify that backup infrastructure is not accessible from the same network segments as production ESXi hosts and Windows servers — ransomware operators routinely target backup solutions before encrypting production data.
- Review post-quantum key management: Enterprises evaluating post-quantum migration paths should note that Windows-based Kyber ransomware now uses Kyber1024 key encapsulation — a data point for discussions about when post-quantum cryptography matters in practice.